#include "gssapiP_eap.h"
+unsigned char
+rfc4121Flags(gss_ctx_id_t ctx, int receiving)
+{
+ unsigned char flags;
+ int isAcceptor;
+
+ isAcceptor = !CTX_IS_INITIATOR(ctx);
+ if (receiving)
+ isAcceptor = !isAcceptor;
+
+ flags = 0;
+ if (isAcceptor)
+ flags |= TOK_FLAG_SENDER_IS_ACCEPTOR;
+
+ if ((ctx->flags & CTX_FLAG_KRB_REAUTH_GSS) &&
+ (ctx->gssFlags & GSS_C_MUTUAL_FLAG))
+ flags |= TOK_FLAG_ACCEPTOR_SUBKEY;
+
+ return flags;
+}
+
OM_uint32
gssEapWrapOrGetMIC(OM_uint32 *minor,
gss_ctx_id_t ctx,
gss_iov_buffer_t header;
gss_iov_buffer_t padding;
gss_iov_buffer_t trailer;
- unsigned char acceptorFlag;
+ unsigned char flags;
unsigned char *outbuf = NULL;
unsigned char *tbuf = NULL;
int keyUsage;
size_t dataLen, assocDataLen;
krb5_context krbContext;
- if (!CTX_IS_ESTABLISHED(ctx))
- return GSS_S_NO_CONTEXT;
+ if (ctx->encryptionType == ENCTYPE_NULL)
+ return GSS_S_UNAVAILABLE;
GSSEAP_KRB_INIT(&krbContext);
- acceptorFlag = CTX_IS_INITIATOR(ctx) ? 0 : TOK_FLAG_SENDER_IS_ACCEPTOR;
- keyUsage = ((toktype == TOK_TYPE_WRAP)
- ? (CTX_IS_INITIATOR(ctx)
+ flags = rfc4121Flags(ctx, FALSE);
+
+ if (toktype == TOK_TYPE_WRAP) {
+ keyUsage = CTX_IS_INITIATOR(ctx)
? KEY_USAGE_INITIATOR_SEAL
- : KEY_USAGE_ACCEPTOR_SEAL)
- : (CTX_IS_INITIATOR(ctx)
+ : KEY_USAGE_ACCEPTOR_SEAL;
+ } else {
+ keyUsage = CTX_IS_INITIATOR(ctx)
? KEY_USAGE_INITIATOR_SIGN
- : KEY_USAGE_ACCEPTOR_SIGN));
+ : KEY_USAGE_ACCEPTOR_SIGN;
+ }
gssEapIovMessageLength(iov, iov_count, &dataLen, &assocDataLen);
/* TOK_ID */
store_uint16_be((uint16_t)toktype, outbuf);
/* flags */
- outbuf[2] = (acceptorFlag
- | (conf_req_flag ? TOK_FLAG_WRAP_CONFIDENTIAL : 0)
- | (0 ? TOK_FLAG_ACCEPTOR_SUBKEY : 0));
+ outbuf[2] = flags
+ | (conf_req_flag ? TOK_FLAG_WRAP_CONFIDENTIAL : 0);
/* filler */
outbuf[3] = 0xFF;
/* EC */
store_uint16_be(ec, outbuf + 4);
/* RRC */
store_uint16_be(0, outbuf + 6);
- store_64_be(ctx->sendSeq, outbuf + 8);
+ store_uint64_be(ctx->sendSeq, outbuf + 8);
/*
* EC | copy of header to be encrypted, located in
/* TOK_ID */
store_uint16_be((uint16_t)toktype, outbuf);
/* flags */
- outbuf[2] = (acceptorFlag
- | (0 ? TOK_FLAG_ACCEPTOR_SUBKEY : 0));
+ outbuf[2] = flags;
/* filler */
outbuf[3] = 0xFF;
if (toktype == TOK_TYPE_WRAP) {
store_uint16_be(0xFFFF, outbuf + 4);
store_uint16_be(0xFFFF, outbuf + 6);
}
- store_64_be(ctx->sendSeq, outbuf + 8);
+ store_uint64_be(ctx->sendSeq, outbuf + 8);
code = gssEapSign(krbContext, ctx->checksumType,
rrc, &ctx->rfc3961Key, keyUsage,
*minor = code;
- if (code == 0)
- return GSS_S_FAILURE;
- else
- return GSS_S_COMPLETE;
+ return (code == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
OM_uint32
gss_iov_buffer_desc *iov,
int iov_count)
{
- return gssEapWrapOrGetMIC(minor, ctx, conf_req_flag, conf_state,
- iov, iov_count, TOK_TYPE_WRAP);
+ OM_uint32 major;
+
+ if (ctx == GSS_C_NO_CONTEXT) {
+ *minor = EINVAL;
+ return GSS_S_NO_CONTEXT;
+ }
+
+ *minor = 0;
+
+ GSSEAP_MUTEX_LOCK(&ctx->mutex);
+
+ if (!CTX_IS_ESTABLISHED(ctx)) {
+ major = GSS_S_NO_CONTEXT;
+ goto cleanup;
+ }
+
+ major = gssEapWrapOrGetMIC(minor, ctx, conf_req_flag, conf_state,
+ iov, iov_count, TOK_TYPE_WRAP);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+cleanup:
+ GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
+
+ return major;
}